On 29 April 2015 at 15:07, Simon Phipps <si...@webmink.com> wrote:

> On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti <pesce...@apache.org>
> wrote:
>
> > Simon Phipps wrote:
> >
> > > Given this problem is not fixed in the current download, should the
> > > project suspend downloads until it can be addressed?
> >
> > This looks like a very extreme measure to take. The severity of the issue
> > would not justify it.
>
> Can you explain that please? The CVE says "Severity: Important" and the
> effects are "a denial of service or possibly execution of arbitrary code by
> preparing specially crafted documents in the HWP document format."
>
> The fact we are unaware of current exploits does not mitigate the risk
> arising from distributing the software, and the rarity of the file format
> does not reduce the likelihood of it being used in an exploit. Maybe I am
> missing some of the context from the private security list?

It seems to be an extremely seldom-used feature, which makes the exploit unlikely.

I am with Andrea, stopping downloads would not be right in this case.

rgds
jan I.

> Thanks,
>
> S.